Buildinfo in the Debian archive, updates

Daniel Kahn Gillmor dkg at
Fri Nov 18 22:49:24 UTC 2016

Hi all--

On Mon 2016-11-14 12:13:00 -0500, Ximin Luo wrote:
> A GPG signature with a 4096-bit key is about 800 bytes in base 64:
> (has 2 signatures, if you use `gpg --list-packets`)
> so it would be about 600 bytes compressed. Across 24000 source packages, this would be 
> 600 * 24000 ~= 13.7MB
> per architecture (including for arch:all). This doesn't seem too bad actually.

If size is a concern, we can make this much smaller by using ed25519 or
ecdsa P256 signatures from the buildd's instead of RSA 4096.  gpgv in
Debian stretch is able to validate these signatures, and gpg in Debian
stretch is able to produce them.  This should reduce the total size of
the signatures to about ~1MiB per architecture, if i'm calculating this

> In total, this would be (9+13)*2 (one arch:all, one arch:$native) ~=
> 50MB download, which considering the advantage of not having to
> contact a 3rd party, I think is just about worth it, even if you only
> want to rebuild a few packages.

Can you explain this computation?  i'm assuming 9 is the number of
debian architectures.  If an architectures builds both arch:all and
arch:$native, it can do it in a single build, producing a single
(signed) buildinfo file.  right?  so why the 2?

so the extra cost of the signatures is ~9*13 -- one signed
copy from each architecture's buildd, which is 104MB.  Using smaller
signing keys on the buildd's sounds better to me.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 962 bytes
Desc: not available
URL: <>

More information about the Reproducible-builds mailing list